Building Reputation with Microsoft Security Essentials

Internet Explorer 9 includes a great new application reputation feature driven by SmartScreen. As described in this Building Reputation blog post by Ryan Colvin, SmartScreen uses file hashes and Authenticode signatures to identify publishers and applications.

Microsoft Security Essentials has included reputation features since its initial release as well, although the reputation features aren’t visible to the user. Like SmartScreen, Microsoft Security Essentials (and its siblings Forefront Endpoint Protection and Windows Intune) uses Authenticode signatures and file hashes for reputation, but instead of identifying programs to the user, it identifies programs to the Microsoft Antimalware Engine. And our engine does some very interesting things.

Microsoft Security Essentials needs to be fast, and the fastest way to scan a file is to actually not scan the file at all – reputation helps it do just that. When Microsoft Security Essentials first encounters a file, it performs a malware scan using all the technologies it needs to determine if the file is malicious. If the file is not malicious (which is hopefully the case), there’s a background check that happens later, using idle cycles to see if the file’s Authenticode signature or hash matches an internal list of trusted publishers and known clean files. If the file is on the list, it will be skipped in future scans, either on access or on demand.

Next, Microsoft Security Essentials uses its internal reputation lists to control what information on unknown files it sends back to Microsoft, or what files it may ask users to submit to Microsoft for further analysis. Under the hood is a sophisticated runtime behavior-monitoring system, which looks for software acting suspiciously, like modifying an autorun.inf file to AutoPlay. The system is hooked up to our Dynamic Signature Service on the Internet, which can deliver detections as needed for fast-moving threats. Because of the need for speed and the fact that legitimate software will sometimes share behaviors with malware, that system will use the reputation lists to bypass files based on reputation.

Finally, the Microsoft Malware Protection Center monitors our Authenticode certificate and file hash lists for malware detections. In the exceedingly rare event of a detection of a file on our lists, we investigate and may adjust our lists or work with vendors and Certificate Authorities as needed.

How can developers get their applications added to the Microsoft Security Essentials reputation lists? The best way is using Authenticode signing on all binary files and download packages. For more information on signing, please see Eric Lawrence’s excellent post Everything you need to know about Authenticode Code Signing.

Authenticode signing is key because it aggregates reputation for all your files, and applies your reputation to brand new files as well. Further, the Microsoft Malware Protection Center uses our telemetry to determine what to add to our reputation lists only.

Authenticode signing doesn’t explicitly say anything about the safety of the signed code, as we in the MMPC know well, but it’s invaluable for determining reputation and separating legitimate code from known publishers from potentially dangerous code. As more code is signed, reputation-based systems like SmartScreen and that in Microsoft Security Essentials get better and better, and hiding malicious software gets harder and harder. So please, help your customers by signing your code and building reputation.